Wireshark-dev: Re: [Wireshark-dev] Feeding the 802.15.4 Dissector

From: Tomasz Moń <desowin@xxxxxxxxx>
Date: Wed, 31 Jul 2013 07:35:30 +0200
On Tue, Jul 30, 2013 at 3:49 PM, Rui Pedro Caldeira
<rpcaldeira@xxxxxxxxxxx> wrote:
> Hello, I'm using Wireshark to read from a pipe and i'm using the native IEEE
> 802.15.4 dissector, but I'm having trouble feeding Wireshark the proper
> bytes. I've tried to search but I can't find the right sequence of bytes the
> dissector is waiting for.
>
> Can anyone help me? Thanks in advance.

Not sure if that's exactly what you are asking for, but:

802.15.4 dissector does following in proto_reg_handoff_ieee802154:

    dissector_add_uint("wtap_encap", WTAP_ENCAP_IEEE802_15_4,
ieee802154_handle);
    dissector_add_uint("wtap_encap",
WTAP_ENCAP_IEEE802_15_4_NONASK_PHY, ieee802154_nonask_phy_handle);
    dissector_add_uint("wtap_encap", WTAP_ENCAP_IEEE802_15_4_NOFCS,
ieee802154_nofcs_handle);
    dissector_add_uint("sll.ltype", LINUX_SLL_P_IEEE802154, ieee802154_handle);

If you look into wiretap/pcap-common.c you will find that following
linktypes are assigned for the WTAP_ENCAP_ defines:

    /* IEEE 802.15.4 Wireless PAN */
    { 195, WTAP_ENCAP_IEEE802_15_4 },
    ...
    /* IEEE 802.15.4 Wireless PAN non-ASK PHY */
    { 215, WTAP_ENCAP_IEEE802_15_4_NONASK_PHY },
    ...
    /* IEEE 802.15.4 Wireless PAN no fcs */
    { 230, WTAP_ENCAP_IEEE802_15_4_NOFCS },

Now, get over to the tcpdump linktypes [1] and check the descriptions
for 195, 215, 230. Choose the one that is closest match to your data
and then set that number as linktype in pcap header.

[1] http://www.tcpdump.org/linktypes.html